The responsibility of the federated authenticators is to authenticate the user with an external system. This can be with Facebook, Google, Yahoo, LinkedIn, Twitter, Salesforce or any other identity provider as follows.
Federated authenticators are decoupled from the Inbound Authenticators. Once the initial request is handed over to the authentication framework from an inbound authenticator, the authentication framework talks to the service provider configuration component to find the set of federated authenticators registered with the service provider corresponding to the current authentication request. As an example, a user tries to log in to his email account. So email service provider sends an authentication request to the Identity Server. After going through service provider configuration, Twitter is selected as the Identity Provider for this service provider. Then the Twitter federated authenticator will authenticate the user using Twitter. After successful authentication Identity Server will return the authentication result to the service provider so that user will able to access his emails.
Importance of federated authentications
A federated authenticator has no value unless it is associated with an identity provider. For example, the Identity Server supports SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Federation (passive). The SAML 2.0 federated authenticator itself has no value, it has to be associated with an identity provider who can provide a SAML 2.0 assertion. Google Apps can be an identity provider with the SAML 2.0 federated authenticator. This federated authenticator knows how to generate a SAML request to the Google Apps and process a SAML response from it.
Using WSO2 Identity Server for federation
There are two parts in a federated authenticator.
- Request Builder
- Response Processor
Once the federation authentication is successfully completed, the federated authenticator notifies the authentication framework. The framework can now decide that no more authentication is required and hand over the control to the corresponding response builder of the inbound authenticator. Both the request builder and the response processor are protocol aware, while the authentication framework is not coupled to any protocol. See Architecture for more information on this overall process.
Configure WSO2 Identity Server for federation
To navigate to the federated authenticators configuration section, do the following.
- Sign in. Enter your username and password to log on to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
For more information, see Adding and Configuring an Identity Provider.
Fill in the details in the Basic Information section.
You can configure the following federated authenticators by expanding the Federated Authenticators section followed by the required subsections.
More Federated Authenticators
Note: OpenID 2.0 has been removed from the base product in this release (WSO2 Identity Server 5.3.0) as it is now an obsolete specification and has been superseded by OpenID Connect. Alternatively, we recommend using OpenIDConnect instead.
- Configuring SAML 2.0 Web SSO
- Configuring OAuth2-OpenID Connect
- Configuring WS-Federation
- Configuring Facebook
- Configuring Microsoft Windows Live
- Configuring Google
- Configuring IWA on Linux
- Configuring Office365
- Configuring Yammer
- Configuring SMSOTP
- Configuring Email OTP
- Configuring Twitter
- Configuring Yahoo
- Configuring Token2